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Preface 


The  Project  AIR  FORCE  monograph  from  which  this  brief  summary 
was  generated  sought  to  present  a  concise  and  accessible  perspective  on 
the  issues  and  options  entailed  in  realizing  the  Air  Force  leadership’s 
vision  on  flying  and  fighting  in  cyberspace.  The  study  was  conducted 
to  help  clarify  and  focus  attention  on  what  can  be  done  in  that  domain. 
In  this  way  actionable  initiatives  could  be  developed  that  would  move 
the  Air  Force  forward  toward  the  transformation  implied  by  this  bold 
extension  of  the  Air  Force’s  mission  statement. 

As  this  work  was  being  completed  in  August  2008,  the  new  chief 
of  staff  put  the  previously  scheduled  October  1,  2008,  stand-up  of 
Air  Force  Cyber  Command  (Provisional)  (AFCYBER[P])  as  a  major 
command  on  hold  so  that  he  could  consider  significant  decisions  that 
needed  to  be  made  regarding  the  Air  Force’s  role  in  cyberspace  and  the 
nature  of  a  new  command.  After  our  research  was  completed,  the  Air 
Force  took  additional  actions  in  February  2009  to  designate  24th  Air 
Force  as  the  cyber  numbered  air  force  under  Air  Force  Space  Com¬ 
mand.  While  some  of  the  management  and  organizational  issues  we 
addressed  in  our  study  have  now  been  overtaken  by  events,  we  believe 
that  there  remain  a  number  of  organizational  and  functional  issues 
still  to  be  resolved,  and  that  this  report  can  be  used  as  a  framework  to 
(1)  help  the  Air  Force  conduct  a  review  of  actions  taken  to  date  and,  if 
appropriate,  (2)  implement  course  corrections. 

The  research  described  in  this  monograph  is  part  of  a  RAND 
Project  AIR  FORCE  (PAF)  study,  “Defining  and  Implementing  Cyber 
Command  and  Cyber  Warfare,”  sponsored  by  Lt  Gen  Robert  J.  Elder, 
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Jr.,  Commander,  8th  Air  Force.  The  study  was  conducted  in  PAF’s 
Force  Modernization  and  Employment  Program. 

RAND  Project  AIR  FORCE 

RAND  Project  AIR  FORCE  (PAF),  a  division  of  the  RAND  Cor¬ 
poration,  is  the  U.S.  Air  Force’s  federally  funded  research  and  devel¬ 
opment  center  for  studies  and  analyses.  PAF  provides  the  Air  Force 
with  independent  analyses  of  policy  alternatives  affecting  the  devel¬ 
opment,  employment,  combat  readiness,  and  support  of  current  and 
future  aerospace  forces.  Research  is  performed  in  four  programs:  Force 
Modernization  and  Employment;  Manpower,  Personnel,  and  Train¬ 
ing;  Resource  Management;  and  Strategy  and  Doctrine. 

Additional  information  about  PAF  is  available  on  our  Web  site: 
http://www.rand.org/paf/ 
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There  is  serious  concern  within  the  government  and  private  sector  that 
increasing  dependence  on  networked  systems  designed  for  a  friendly 
environment,1  such  as  the  Internet,  may  be  creating  dangerous  vul¬ 
nerabilities  that  malevolent  actors — states,  terrorists,  or  criminals — 
can  increasingly  exploit  to  harm  us.  Similar  concerns  are  being  raised 
over  the  vulnerabilities  of  Department  of  Defense  (DoD)  airborne  and 
space  networks  that  support  military  forces.  Gen  James  Cartwright, 
U.S.  Marine  Corps,  and  former  Commander,  U.S.  Strategic  Com¬ 
mand  (USSTRATCOM)  has  said  that 

America  is  under  widespread  attack  in  cyberspace.  Unlike  in  the 
air,  land,  and  sea  domains,  we  lack  dominance  in  cyberspace  and 
could  grow  increasingly  vulnerable  if  we  do  not  fundamentally 
change  how  we  view  this  battlespace.2 

To  address  these  national  and  Air  Force-specific  concerns,  the  Air 
Force  initiated  a  process  of  standing  up  a  new  cyber  command.  Air 
Force  Cyber  Command  (Provisional)  (AFCYBER[Pj)  was  intended  to 

[r]edefine  Airpower  . . .  extend  our  global  reach  and  power  into 
cyberspace  . . .  Primary  Mission  is  Warfighting:  Integrate  AF’s 


1  Although  packet  switching,  the  Internet’s  primary  communications  protocol,  was 
designed  to  withstand  the  effects  of  nuclear  war. 

2  See  Air  Force  Doctrine  Document  2-X,  Cyberspace  Operations ,  draft,  Washington,  D.C.: 
Headquarters,  U.S.  Air  Force,  January  29,  2008. 
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global  kinetic  and  nonkinetic  strike  capability  . . .  through  the 
full  range  of  military  operations.3 

Significant  decisions  need  to  be  made  about  this  new  com¬ 
mand.4  The  RAND  study  team  worked  directly  with  8th  Air  Force 
and  AFCYBER(P)  to  help  define  the  functions  of  this  new  command, 
including  its  interactions  with  other  parts  of  the  Air  Force,  other  ser¬ 
vices  and  combatant  commands  (COCOMs),  and  other  government 
agencies.  The  study  focused  on  offensive  and  defensive  computer  net¬ 
work  operations  (CNO)  and  electronic  warfare.  It  took  the  need  to 
support  kinetic  and  space  operations  into  account  but  kept  focused 
on  network  operations  as  the  core  of  the  accepted  DoD  definition  of 
cyberspace.  The  goal  was  to  provide  a  clear  taxonomy  in  a  strategies-to- 
tasks  framework  to  facilitate  a  clear  and  convergent  dialogue  support¬ 
ing  the  AFCYBER  development  process. 


Understanding  the  Mission 

With  decades  of  shared  experience,  as  well  as  the  visibility  and  domi¬ 
nance  of  Air  Force  air  and  space  systems,  airmen  understand  what  it 
means  to  “fly  and  fight  in  the  air.”  They  have  also  come  to  understand 
that  the  Air  Force  also  “flies  and  fights”  in  space.  Then  the  Air  Force 
added,  “fly  and  fight  in . . .  Cyberspace”  to  its  mission  statement.5  Unfor¬ 
tunately,  this  new  cyber  domain  has  proven  to  be  harder  to  under¬ 
stand  and  adjust  to.  The  current  overly  broad  and  abstract  definitions 
of  cyberspace  cause  confusion  and  divisiveness,  both  within  and  beyond 
the  Air  Force.  There  have  been  several  definitions  of  cyberspace.  The 


3  Robert  Elder,  “Air  Force  Cyberspace  Command:  Defense  Technology  Forum,”  briefing, 
8th  Air  Force,  June  14,  2007. 

4  However,  as  this  monograph  was  being  completed,  in  August  2008,  a  decision  was  made 
to  reconsider  the  Air  Force’s  roles  and  missions  in  cyberspace  and  the  nature  of  any  associated 
reorganizations. 

5  In  December  2005,  the  Air  Force  changed  its  mission  statement  to:  “The  mission  of  the 
United  States  Air  Force  is  to  deliver  sovereign  options  for  the  defense  of  the  United  States  of 
America  and  its  global  interests  to  fly  and  fight  in  Air,  Space  and  Cyberspace.” 
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Air  Force’s  initial  view  was  that  it  was  a  real  (not  virtual)  domain  cov¬ 
ering  the  radio  frequency  spectrum  and  systems  using  it  “from  DC 
[direct  current]  to  light.”6  A  later  Air  Force  definition  is  more  succinct: 

Cyberspace  is  a  domain  characterized  by  the  use  of  electron¬ 
ics  and  the  electromagnetic  spectrum  ...  to  store,  modify,  and 
exchange  data  via  networked  systems  and  associated  physical 
infrastructures.7 

On  May  12,  2008,  then-Deputy  Defense  Secretary  Gordon  Eng¬ 
land  defined  cyberspace  as 

a  global  domain  within  the  information  environment  consisting 
of  the  interdependent  network  of  information  technology  infra¬ 
structures,  including  the  Internet,  telecommunications  networks, 
computer  systems,  and  embedded  processors  and  controllers.8 

The  language  Air  Force  public  affairs  or  recruiting  offices  use  to 
promote  the  Air  Force’s  cyber  mission,  as  illustrated  by  2008’s  tele¬ 
vision,  newspaper,  and  magazine  “above  all”  recruiting  ads,  has  yet 
to  reflect  the  analytic  convergence  the  definitions  above  imply.9  The 
tensions  resulting  from  the  disparity  between  the  Air  Force’s  publicly 
perceived  role  in  and  its  actual  more-modest  investment  in  cyberspace 
may  also  have  fueled  interagency  disagreements  over  roles,  missions, 
and  authorities — such  as  the  national  cybersecurity  initiative  calls 


6  Lani  Kass,  “A  Warfighting  Domain,”  briefing,  Air  Force  Cyberspace  Task  Force,  Wash¬ 
ington,  D.C.:  Headquarters  U.S.  Air  Force,  September  29,  2006. 

7  Program  Action  Directive  (PAD)  07-08,  Implementation  of  the  Secretary  of  the  Air  Force 
Direction  to  Establish  Air  Force  Cyberspace  Command  (AFCYBER),  Change  1,  Washington, 
D.C.:  Office  of  the  Secretary  of  the  Air  Force,  January  24,  2008,  not  available  to  the  general 
public. 

8  Gordon  England,  “The  Definition  of  Cyberspace,”  memorandum,  Washington,  D.C., 
May  12,  2008,  not  available  to  the  general  public. 

9  See,  for  example,  the  full  page  ad  in  USA  Today,  March  3,  2008,  and  “Air  Force  Ads’ 
Intent  Questioned,”  Los  Angeles  Times,  March  30,  2008.  The  campaign  was  cancelled  in  the 
summer  of  2008. 
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for.10  Carefully  and  clearly  laying  out  the  Air  Force’s  future  role  in  this 
domain  can  help  preempt  such  difficulties. 

Fundamental  precursor  questions  need  clear  and  convincing 
answers.  What  is  cyberspace,  and  what  is  the  Air  Force’s  role  in  the 
domain?  What  does  to  “fly  and  fight  in  cyberspace”  mean?  What,  spe¬ 
cifically,  does  the  Air  Force  plan  to  do  in  cyberspace — what  effects 
does  it  want  to  achieve?  How  will  it  achieve  them?  How  will  it  know 
if  it  has  achieved  them?  Is  “cyber  supremacy”  a  meaningful  concept? 
Is  deterrence  a  tractable  approach  to  security  in  cyberspace?  The  Air 
Force  needs  a  simple,  direct,  explicit,  and  actionable  discussion  on  what 
AFCYBER  is  really  about.  We  believe  that  AFCYBER  can  be  a  respon¬ 
sible,  capable  partner  in  a  substantially  wider  national  security  effort. 

A  compelling  case  can  also  be  made  for  a  central  cyber-focused 
entity  to  (1)  “organize,  train,  and  equip”  future  cyberwarriors;  (2) 
integrate  and  deconflict  the  various  cyber  efforts  across  the  Air  Force; 
(3)  manage  external  coordination;  and  (4)  advocate  for  cyber  in  the  Air 
Force  corporate  process.  Whether  this  organization  should  be  a  new 
major  command  (MAJCOM),  however,  is  less  clear,  particularly  in 
today’s  national  security  environment.  But  creating  AFCYBER  cannot 
be  just  an  organizational  or  bureaucratic  exercise.  Its  creation  should 
be  a  key  element  in  the  process  of  defining  how  the  Air  Force  extends 
its  operations  in  the  new  domain — how  it  integrates  cyberoperations 
with  operations  in  air  and  space.  This  journey  ought  to  be  guided  by  an 
understandable,  actionable,  affordable,  and  accepted  vision. 

During  the  course  of  our  research,  which  focused  on  the  initial 
plans  for  a  cyber  MAJCOM,  AFCYBER,  the  Air  Force  placed  them  on 
temporary  hold  to  assess  its  role  in  cyberspace  and  the  responsibilities 
of  a  new  command  more  thoroughly.  The  Air  Force  then  took  further 
steps  after  our  research  was  complete: 


10  George  W.  Bush,  “Cyber  Security  and  Monitoring,”  Washington,  D.C.:  The  White 
House,  National  Security  Presidential  Directive  54  (also  Homeland  Security  Presidential 
Directive  23),  January  8,  2008. 
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•  The  definition  of  cyberspace  was  refined:  a  physical  domain  includ¬ 
ing  multiple  interconnected  computer  and  telecommunications 
networks,  network  operations,  processors,  and  controllers. 

•  The  24th  Air  Force  was  activated  as  the  cyber  numbered  air  force 
(NAF)  within  Air  Force  Space  Command  (AFSPC)  and  desig¬ 
nated  a  strategic  command  under  a  major  general.  It  consists  of 
an  operational  center  and  three  subordinate  wings:  67th  Network 
Wing;  688th  Information  Operations  Wing;  and  689th  Combat 
Communication  Wing.  It  does  not,  however,  have  a  separate  elec¬ 
tronic  warfare  wing  (EWW). 

•  The  missions  for  the  new  cyber  NAF  (establish,  operate,  defend, 
exploit,  attack)  were  defined  and  refined  to  fit  USSTRATCOM 
Unified  Command  Plan  2008  mission  needs  more  precisely. 
These  needs  include  supporting  direct  global  information  grid 
operations  and  defense;  planning  against  designated  cyberspace 
threats;  planning  and  executing  operational  preparation  of  the 
environment  in  coordination  with  the  Global  Command  and 
Control  System;  executing  cyberspace  operations  as  directed; 
coordinating,  advocating,  integrating  various  cyber  activities;  and 
planning,  coordinating,  and  executing  nonkinetic  global  strike.11 

Recognizing  that  a  number  of  organizational  and  functional 
issues  are  still  unresolved,  this  monograph  can  be  used  as  a  framework 
to  (1)  help  the  Air  Force  review  actions  taken  to  date  and,  if  appro¬ 
priate,  (2)  implement  course  corrections.  We  note  in  footnotes  how 
changes  implemented  after  the  study  relate  to  observations  and  recom¬ 
mendations  we  made  in  our  completed  research.  Where  “AFCYBER” 
is  used  below,  the  current  realization  is  AFSPC/24th  Air  Force. 


11  PAD  07-08,  Phase  I  of  the  Implementation  of  the  Secretary  of  the  Air  Force  Direction  to 
Establish  Air  Force  Cyberspace  Command  Forces,  Change  3,  Washington,  D.C.:  Headquarters 
U.S.  Air  Force,  February  20,  2009. 
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Observations 

Even  though  the  ostensible  rationale  for  establishing  AFCYBER  is 
straightforward — “cyberspace”  is  a  new  domain  with  emerging  opera¬ 
tions  that  affect  core  Air  Force  missions  and  capabilities — exactly  what 
AFCYBER  is  to  do  is  anything  but  straightforward.  An  explication  of 
more  concrete  missions,  tasks,  and  capabilities  is  necessary. 

Our  initial  approach  to  elucidating  more-concrete  missions,  tasks, 
and  capabilities  was  to  examine  the  Air  Force’s  cyberspace  strategy  and 
doctrine  and  to  attempt  to  drill  down  in  a  strategies-to-tasks  analysis. 
This  analysis  was,  however,  handicapped  by  the  lack  of  consensus  on 
just  what  the  boundaries  of  the  cyberspace  mission  were  and  by  the 
difficulty  of  turning  these  ideas  about  cyberspace  and  cyberpower  into 
strategies  and  actions.  The  next-best  course  was  to  attempt  to  make 
the  potential  breadth  and  complexity  of  these  issues  more  concrete 
by  developing  example  scenarios — missions  and  tasks — based  on  our 
understanding  of  cyberspace,  the  roles  of  current  Air  Force  commands, 
and  the  historical  roles  of  the  Air  Force  vis-a-vis  other  services  and 
agencies  in  cyberspace. 

These  analyses  certainly  have  not  answered  (or  probably  even 
asked)  all  the  right  questions,  but  we  believe  the  issues  we  have  raised 
can  help  inform  the  ongoing  conversations  on  the  national  security 
implications  of  cyberspace  and  the  apportionment  of  roles,  responsi¬ 
bilities,  and  authorities  to  address  these  implications. 

Taking  the  new  DoD  definition  of  cyberspace  (which  is  more 
constrained  than  the  Air  Force’s  initial  concept)  as  a  starting  point,12 
there  are  still  unanswered  questions: 

•  What  does  cyberspace  encompass — what  are  its  functional,  orga¬ 
nizational  and  legal  boundaries,  in  general,  and  how  does  the  Air 
Force  characterize  and  view  its  cyber  domain  and  its  relationships 
with  non-Air  Force  cyberspace  stakeholders,  in  particular?  What 
must  the  Air  Force  do  to  actualize  its  vision? 


12 


England,  2008. 
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National  strategy  emphasizes  why  the  nation  needs  to  secure 
cyberspace  but  how  to  do  so  is  still  contentious.  The  National 
Cyber  Security  Initiative  is  a  responsibility  of  the  Department  of 
Homeland  Security,  which  recognizes  the  need  for  strong  National 
Security  Agency  (NSA)  support.  Other  interagency  players,  how¬ 
ever,  are  still  trying  to  sort  out  and  deconflict  their  roles,  respon¬ 
sibilities,  and  authorities.  The  relative  emphasis  on  mission  areas 
and  roles  and  responsibilities  for  conduct  of  computer  network 
attack  (CNA),  computer  network  defense  (CND),  and  computer 
network  exploitation  (CNE)  operations  are  not  clear.  We  believe 
that  most  key  players  across  the  interagency  organizations  have 
something  to  gain  from  closer  cooperation  and  integration — in 
fact,  that  greater  cooperation  is  a  cyber  sine  qua  non — but  under 
what  terms  and  conditions? 

From  the  Air  Force’s  perspective,  what  are  the  cyber  goals,  objec¬ 
tives,  and  strategies  reflecting  its  service-specific  requirements, 
and  what  capabilities  might  it  provide  the  COCOMs  (and  the 
nation)  to  meet  their  requirements? 

What  organizations  are  in  charge  of  national  security  cyberspace 
operations?  USSTRATCOM  (via  the  Joint  Functional  Compo¬ 
nent  Command-Network  Warfare  [JFCC-NW]  and  the  Joint 
Task  Force-Global  Network  Operations  [JTF-GNO])  would 
seem  to  be  responsible  for  “global”  DoD  cyber  missions,  but  the 
Air  Force  also  has  to  present  cyberforces  to  regional  COCOMs. 
How  much  can  the  Air  Force  do  on  its  own?  How  can  it  work 
with  other  organizations  (especially  NSA)  to 

-  assure  actionable  cyber  situational  awareness 

-  conduct  defensive  activities  without  compromising  effective 
information  sharing 

-  conduct  offensive  cyber  activities  whose  benefits  exceed  their 
costs  and  risks? 

Within  the  Air  Force,  what  is  a  cyberwarrior?  Who  should  be 
responsible  for  organizing,  training,  and  equipping  Air  Force 
cyberforces?  What  is  required  from  all  airmen  to  make  them  more 
aware  of  cyber  threats  and  responses  and  therefore  more  effective 
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in  defending  not  only  the  networks  but  also  more  able  to  conduct 
the  Air  Force  missions  dependent  on  the  networks. 

•  In  the  end,  are  we  headed  toward  strategic  cyberwar,  defined  as 
state-on-state  conflict  carried  out  in  cyberspace  for  the  primary 
purpose  of  compelling  the  other  side  to  accede  rather  than  face 
the  prospects  of  continued  or  greater  pain?13  For  the  most  part, 
many  of  the  techniques  used  for  cyberoperations  in  support  of 
military  forces  would  be  used  in  strategic  cyberwar.  Thus,  the 
organizational  implications  for  the  Air  Force  in  the  former  apply 
to  the  latter  as  well.  That  noted,  strategic  cyberwar  raises  a  sepa¬ 
rate  and  unique  set  of  broad  issues — for  example,  when  and  how  a 
state  should  respond  to  a  cyberattack.  We  have  chosen  to  address 
these  issues  in  a  companion  volume.14 

•  The  Bottom  Line:  What  does  it  mean  to  “fly  and  fight  in  cyber¬ 
space”? 

One  problem  so  far  in  defining  this  new  organization  is  that  most 
of  its  roles  are  currently  being  discharged  by  existing  Air  Force  orga¬ 
nizations,  programs,  and  activities.  The  electronic  warfare  community 
has  a  long-established  berth  within  the  Air  Force.  True,  many  of  their 
offensive  and  defensive  techniques  resemble  their  cyberspace  (according 
to  the  DoD  definition)  counterparts,  but  the  role  that  electronic  war¬ 
fare  principally  plays  within  the  overall  context  of  Air  Force  operations 
(e.g.,  suppression  of  enemy  air  defenses)  is  quite  different  from  what 
might  be  expected  from  certain  cyberoperations  (e.g.,  exerting  strategic 
pressure  on  adversaries  or  limiting  adversary  freedom  of  action  on  the 
Internet).  Cyberspace  could  also  be  a  conduit  for  perception  manage¬ 
ment  actions  as  a  subset  of  information  operations  (IO).  However,  in 
emerging  constructs  for  cyber  and  IO  organizations,  the  medium  and 


13  We  recognize  that  “warfare”  in  cyberspace  could  occur  in  a  number  of  ways  and  could 
involve  overt  or  covert  actions  with  or  without  more-conventional  military  action  at  the 
strategic,  operational,  and/or  tactical  levels.  We  have  highlighted  this  extreme  concept  of 
interstate  “strategic  cyberwar”  as  an  asymptotic  deterrence  test  case. 

14  Martin  C.  Libicki,  Cyberdeterrence  and  Cyberwar ,  Santa  Monica,  Calif.:  RAND  Corpo¬ 
ration,  MG-877-AF,  2009. 


Air  Force  Cyber  Command  (Provisional)  Decision  Support  9 


the  message  are  quite  distinct.  Finally,  cyberspace,  qua  network  infra¬ 
structure,  is  the  substrate  for  all  Air  Force  operations,  but  the  work 
of  establishing  Air  Force  networks  has  long  ago  been  assigned  to  its 
communications  and  computer  communities.  Could  the  work  of  these 
diverse  communities  profit  from  being  folded  into  a  single  AFCYBER 
MAJCOM  or  a  cyber  NAF? 

Organizing  just  the  three  “traditional”  CNO  activities  into  an 
AFCYBER  MAJCOM  is  less  problematic  but  still  raises  concerns. 
Start  with  CND.  The  Air  Force  needs  to  do  this  effectively.  There  is 
also  clearly  an  oversight  and  management  role  to  be  played  within  the 
Air  Force  (currently  discharged  by  the  Air  Force  Network  Operations 
Center  and  the  two  Integrated  Network  Operations  and  Security  Cen¬ 
ters);  perhaps  CND  needs  the  kind  of  emphasis  that  only  a  MAJCOM 
could  provide.  There  is  also  an  opportunity,  perhaps  not  yet  fully  real¬ 
ized,  for  the  Air  Force  to  leverage  NSA’s  capabilities  here.  It  is  clear  to 
us  that,  at  a  minimum,  the  Air  Force  must  know  when  other  DoD  net¬ 
work  defenders  plan  actions  that  could  disrupt  Air  Force  command- 
and-control  networks.  Nevertheless,  most  of  what  it  takes  to  protect 
systems  day  to  day  is  done  in  a  distributed  and  decentralized  fashion 
by  those  who  administer  systems — a  very  local  function  but  one  that 
must  be  appropriately  deconflicted  at  higher  levels.  The  Air  Force  must 
define  its  role  in  “active  response”  (which  we  use  rather  than  the  term 
“active  defense,”  which  carries  some  unintended  negative  connota¬ 
tions)  in  a  manner  that  allows  integration  into  national-level  processes. 

CNE  and  CNA  are  closely  related,  especially  in  dealing  with 
Internet-based  networks.  The  techniques  needed  for  one  overlap  greatly 
with  the  techniques  needed  for  the  other — notably,  accessing  comput¬ 
ers  and  leaving  something  behind  in  the  target  system  to  do  one’s  bid¬ 
ding  later  on.  CNE,  however,  is  clearly  the  domain  of  NSA  within 
DoD.  Both  NSA  and  the  Air  Force  Intelligence,  Surveillance,  and 
Reconnaissance  Agency  (AFISRA)  have  Title  50  authorities,  although 
Title  10  missions  (which  is  to  say,  attack  roles)  can  be  conducted  via 
seamless  interfaces  between  the  Title  50  and  some  Title  10  elements. 
NSA  greatly  outspends  the  Air  Force  in  cyberspace  operations;  the  Air 
Force  does  not  and  cannot  spend  at  the  same  level  as  NSA,  but  it  can 
and  does  leverage  NSA’s  investments  and  access.  The  question  of  just 
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how  much  overlap  and  synergy  is  possible  between  the  Air  Force’s  and 
NSA’s  cyber  interests  and  needs  is  still  open  (e.g.,  the  importance  of 
NSA’s  operations  in  the  Internet’s  transmission  control  protocol  and 
Internet  protocol  (TCP/IP)  world  relative  to  the  Air  Force’s  interest  in 
non-Internet  protocol,  noncommercial  wireless  networks,  such  as  an 
Integrated  Air  Defense  System  and  airborne  networks).  Additionally, 
NSA  is  not  focused  on  electronic  warfare  or  IO. 

The  Air  Force’s  current  CNO  focus  is  on  CND,  which  is  under¬ 
standable  and  appropriate  given  the  Air  Force’s  increasing  dependence 
on  networks.  CND  is  more  than  building  better  firewalls  and  antivirus 
software.  Consequently,  CND  requires  tightly  integrated  CNE  sup¬ 
port  to  allow  defenders  to  see  the  threats  coming  before  they  have  done 
their  damage  (and  perhaps  to  allow  the  Air  Force  to  reach  out  into  the 
adversary’s  cyber  systems  using  CNA  for  “active  response”). 

As  the  Air  Force  and  others  endeavor  to  establish  increased  cyber 
capabilities,  they  must  account  for  the  following  realities  and  issues: 

•  Cyberspace,  even  in  the  DoD  definition,  is  still  very  broad  and 
complex.  How  will  the  Air  Force  construct  integrate  with  joint 
and  national  approaches? 

•  Threat  realities  are  difficult  to  assess,  but  perceptions  are  being 
shaped  and  politicized  by  actions  that  may  or  may  not  be  indica¬ 
tive  of  the  emerging  challenges  (e.g.,  events  in  Estonia  and  Geor¬ 
gia15).  What  role  could  the  Air  Force  play  in  such  cyber  conflicts, 
if  any? 

•  DoD  will  have  to  cope  with  reduced  fiscal  resources  and  lim¬ 
ited  programming  flexibility  as  it  rebuilds  and  recovers  from  the 
post-Cold  War  stresses  on  the  military.  The  Air  Force  must  focus 
on  the  funding  and  manning  of  its  cyber  capability.  What  invest¬ 
ments  will  make  the  most  tangible  contribution  to  establishing 
value-added  cyber  capabilities? 

•  There  are  many  cyber  stakeholders  and  players  within  all  agen¬ 
cies  of  the  national  government  and  commercial  organizations, 


15  See  Mark  Landler  and  John  Markoff,  “Digital  Fears  Emerge  After  Data  Siege  in 
Estonia,”  New  York  Times,  May  29,  2007. 
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especially  within  the  commercial  organizations  associated  with 
critical  infrastructures  so  dependent  on  cyber  infrastructures.  Air 
Force  programs  and  operations  are  highly  dependent  on  informa¬ 
tion  and  networks  operated  by  commercial  partners.  What  roles 
can  the  Air  Force  play  in  interacting  with  these  stakeholders  out¬ 
side  DoD? 

•  The  terrain  of  cyberspace  is  heterogeneous — commercial,  civil, 
and  military;  domestic,  foreign,  multinational,  and  global. 

•  How  can  the  Air  Force  effectively  demonstrate  that  it  is  part  of  a 
DoD-national  team? 


Recommendations 

These  unresolved  issues  and  realities  suggest  the  need  for  a  measured 
approach  to  resolving  the  future  of  Air  Force  cyber  efforts,  focusing 
initially  on  the  most  important  and  least  contentious  cyber  mission: 
assuring  robust  Air  Force  air,  space,  and  terrestrial  network  operations, 
that  is,  CND.  AFCYBER(P)  accepts  this  focus  on  network  defense 
and  information  assurance.  We  further  believe  that  the  command’s 
next  objectives  should  be  to 

•  improve  situational  awareness — not  only  of  Air  Force  networks 
but  also  of  upstream  joint  and  interagency  network  activities  and 
of  the  risks  of  relying  on  critical  infrastructures  shared  with  com¬ 
mercial  partners 

•  integrate  enhanced  active  responses  into  network  operations  (in 
collaboration  with  others) 

•  integrate  active  cyberspace  defenses  (and  selected  offensive  cyber 
capabilities)  with  kinetic  operations  in  air  operations  centers 
(AOCs). 

Will  establishment  of  the  24th  Air  Force  within  the  cyber 
MAJCOM  enhance  CND  capabilities  by 
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•  becoming  the  advocate  for  the  development  and  funding  of  Air 
Force  network  operations  capabilities? 

•  leveraging  available  internal  Air  Force,  joint,  and  interagency 
capabilities? 

•  helping  to  refine  requirements  for  active  defense  capabilities? 

Air  Force  CND  operations  need  to  look  both  inside  service- controlled 
networks  and  outside,  into  the  global  networks  that  the  Air  Force 
depends  on  but  does  not  control  (this  is  why  Air  Force  interfaces  with 
others  is  so  critical). 

Other  questions  still  to  be  resolved  center  on  the  value  of  the  enti¬ 
ties  involved  and  their  organizational  realignments: 

•  the  alignment  of  Air  Force  Network  Operations  Center  and  the 
increased  centralization  of  CND  operations  at  the  Integrated 
Network  Operations  and  Security  Centers 

-  What  is  the  right  balance  of  CND  capabilities  between  decen¬ 
tralized,  local  defense  and  more-centralized  provision  of  situ¬ 
ational  awareness  and  active  response  capabilities? 

•  establishing  improved  external  interfaces  with 

-  USSTRATCOM  (JTF-GNO)  and  NAFs  designated  as 
COCOM  components  ? 

-  AFISRA  and  NSA  for  necessary  CNE  support? 

In  light  of  these  unresolved  issues  and  near-term  objectives,  we 
offer  the  following  recommendations: 

1.  Exploit  the  transition  period  to  better  manage  expectations.  The 
Air  Force  is  building  its  cyberforces  to  assure  its  ability  to  fly 
and  fight  in  a  cyber  threat  environment. 

2.  Sharpen  the  definition  of  cyberoperations.  Key  issues,  in  the 
form  of  questions,  with  our  suggested  responses,  are  as  follows: 
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Is  cyber  the  same 
as  IO? 

No.  Cyber  is  only  a  medium  for  its  own  share  of 
IO,  e.g.,  directed  psychological  operations. 

Do  cyberoperations 
entail  building  and 
using  networks? 

Yes.  "Establishing  the  domain"  is  part  of  the 
AFCYBER  foundation. 

Does  cyber  include 
electronic  warfare? 

Perhaps.  It  is  true  that  analog  and  digital 
systems  and  applications  are  merging  in 
synergistic  applications,  but  whether  including 
electronic  warfare  in  AFCYBER  helps  or 
hurts  electronic  warfare  deserves  more 
study,  particularly  because,  at  present,  not 
all  electronic  warfare  would  be  integrated 
into  AFCYBER.  Further  fractionation  of 
the  electronic  warfare  community  and  its 
capabilities  does  not  seem  likely  to  add  value.3 

Does  cyber  include 

CND? 

Yes,  to  include  active  response.  But  cyber  is 
much  bigger  than  CND. 

Is  cyber  about  more 
than  just  networks? 

Yes,  it  is  also  about  the  security  and  reliability 
of  databases  and  the  algorithms  that  are 
embedded  in  all  our  weapon  systems,  whether 
the  AOC  or  F-22.b 

a  Since  our  research  was  completed  and  in  response  to  PAD  change  3,  the 
Air  Force  has  removed  the  450th  EWW  from  the  administrative  control  of 
the  24th  Air  Force,  thus  defining  the  scope  of  the  cyber  NAF  responsibilities 
more  specifically. 

b  This  was  a  recent  and  serious  concern  for  the  Air  Force  Scientific  Advisory 
Board  but  was  beyond  the  scope  of  the  study  reported  in  this  monograph. 

3.  Define  the  operational  missions,  required  capabilities,  and  force 
structure  across  the  cyber  spectrum  on  which  the  Air  Force 
plans  to  focus  its  efforts.  Ultimately,  AFCYBER  should  develop 
an  investment  strategy  for  network  operations  and  defensive  and 
offensive  capabilities  for  cyberspace.  To  expedite  this,  it  may  be 
desirable  to  create  a  formal  general  officers’  cyberspace  forum  to 
establish  roles  and  missions  for  the  Air  Force  in  cyberspace  and 
to  develop  definitive  resource  requirements  and  programming 
approaches. 

4.  Strengthen  the  relationship  between  AFCYBER  and  NSA, 
building  on  AFISRA’s  current  and  evolving  authorities  and 
operations.  The  Air  Force  is  not  in  a  position  to  match  NSA  in 
terms  of  money  or  manpower — it  must  support,  leverage,  and 
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help  shape  NSA’s  investments  and  operations.  Determine  where 
the  integration  potential  and  synergy  are  greatest,  and  make  it 
so. 

5.  Focus  on  CND,  including  active  responses.  If  anything,  go 
overboard  in  saying  so.  Such  a  focus  is 

a.  necessary  to  keep  the  Air  Force  (literally)  flying 

b.  is  nonthreatening  to  sister  services  and  others  and  will 
also  likely  absorb  the  overwhelming  share  of  Air  Force 
cyberoperations  resources  and  probably  even  the  bulk  of 
AFCYBER’s  resources. 

6.  Develop  systems  and  procedural  hedges  against  the  most  wor¬ 
risome  cyber  vulnerabilities  and  threats.  The  overlay  of  a  con¬ 
ceptual  minimum  essential  information  infrastructure  (MEII) 
to  protect  critical  functionalities  may  be  one  such  approach.16 

7.  Determine  which  AFCYBER  organizational  structure  (e.g., 
AFCYBER  NAF  embedded  in  an  existing  MAJCOM,  such 
as  Air  Combat  Command  or  AFSPC,  or  a  new  AFCYBER 
MAJCOM)  can  best  help  defend  the  Air  Force’s  networks — air, 
space,  and  terrestrial.17  Although  most  network  defense  needs 
to  take  place  at  lower  levels  of  the  organizations,  some  critical 
functions  do  need  high-level,  centralized  direction  and  execu¬ 
tion  (e.g.,  standards,  tools  development,  triage,  and  specialized 
response  capabilities  to  counter  advanced,  persistent  threats). 

8.  The  extent  to  which  the  Air  Force  needs  to  develop  niche  CNA 
capabilities  is  more  of  an  operational  military  than  an  intelli- 


16  The  term  minimum  essential  mformation  infrastructure  refers  to  a  RAND  concept  mod¬ 
eled  after  the  U.S.’s  Cold  War  Minimum  Essential  Emergency  Communication  Network, 
designed  to  be  a  bare-bones  but  robust  means  of  distributing  emergency  action  messages 
to  nuclear  deterrent  forces.  As  far  as  we  know,  the  notional  MEII  concept  has  yet  to  be 
developed.  The  MEII  specifications  must  evolve  out  of  an  understanding  of  context-specific 
mission-essential  functions  to  provide  mission  assurance,  but  efforts  to  determine  these  are 
notoriously  difficult.  See  Robert  H.  Anderson,  Phillip  M.  Feldman,  Scott  Gerwehr,  Brian  K. 
Houghton,  Richard  Mesic,  John  Pinder,  Jeff  Rothenberg,  and  James  R.  Chiesa,  Securing  the 
U.S.  Defense  Information  Infrastructure:  A  Proposed  Approach,  Santa  Monica,  Calif.:  RAND 
Corporation,  MR-993-OSD/NSA/DARPA,  1999. 

17  Since  our  report  was  completed,  the  Air  Force  has  established  a  cyber  NAF  (24th  Air 
Force)  under  an  existing  MAJCOM  (AFSPC). 


Air  Force  Cyber  Command  (Provisional)  Decision  Support  15 


gence  decision.  The  Air  Force  should,  with  discretion,  develop 
selective  offensive  capabilities  enabled  by  intelligence  operations 
in  cyberspace.  The  Air  Force  should  also  develop  disruptive 
capabilities  to  deny  adversaries  use  of  targeted  portions  of  the 
cyberspace  medium.  Intelligence  operators  know  how  to  access 
and  exploit  networks  (CNE).  They  may  know  how  to  disrupt 
and  corrupt  networks,  but  can  they  understand,  predict,  and 
observe  (e.g.,  provide  timely  cyber  damage  assessments)  the 
effects — both  desired  and  undesired — that  their  actions  will 
have  on  an  adversary’s  ability  (or  our  own)  to  wage  war? 

9.  Develop  an  analytical  foundation  for 

a.  assessing  the  benefits  and  risks  of  cyberoperations  (both 
offensive  and  defensive)  in  an  effects-based  context  to  facili¬ 
tate  integration  and  deconfliction  of  cyber  and  kinetic  oper¬ 
ations 

b.  measuring  the  likely  return  on  cyber-specific  investments  to 
answer  one  critical  question:  How  much  is  enough? 

10.  AFCYBER  should  leverage  existing  AFISRA-NSA  relation¬ 
ships  and  activities  to  develop  Air  Force  offensive  cyber  capa¬ 
bilities  and  integrate  them  with  kinetic  operations  to  support 
JFCC-NW  and  NAFs  designated  as  COCOM  components. 
(Is  the  creation  of  the  624th  Operations  Center  in  the  proposed 
24th  Air  Force  the  right  way  to  accomplish  these  goals?) 


Summary 

Many  important  issues  need  to  be  resolved.  The  Air  Force  needs  to 

•  articulate  its  cyber  goals  and  objectives  more  clearly 

•  identify  strategies,  missions,  and  tasks  within  its  purview 

•  continue  to  develop  cyberforces  with  capabilities  to  ensure  Air 
Force-specific  needs  are  met. 

We  believe  there  is  more  to  military  cyberoperations  than  those 
outlined  for  the  more-limited  defensive  cybersecurity  initiatives  across 
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the  government  overall.  The  regional  and  functional  COCOMs  have 
two  concerns  relative  to  cyber:  (1)  mission  assurance  (the  ability  to  con¬ 
duct  operations  in  a  degraded  cyber  environment,  in  which  CND  will 
hopefully  limit  the  degradation)  and  (2)  integrated  attack  (of  which 
CNA  is  just  one  element).  We  believe  that  the  Air  Force’s  goal  should 
be  to  posture  its  cyberforces  for  the  broader  context — integrated  air, 
space,  and  cyberoperations  in  support  of  joint  operations,  with  initial 
emphasis  on  integrating  these  regional  operations  in  an  AOC  under  the 
control  of  a  joint  force  air  component  commander,  while,  at  the  same 
time,  engaging  more  proactively  with  USSTRATCOM  to  help  shape 
and  conduct  global  cyber  missions,  day  to  day  and  in  crisis  and  war, 
through  the  JFCC-NW  and  JTF-GNO.18 

But  the  Air  Force  will  have  to  address  other  key  cyber  issues  we 
have  discussed  here  through  cooperative  efforts  with  its  sister  services 
and  other  interagency  organizations.  To  fully  meet  its  vision  of  flying 
and  fighting  in  cyberspace,  the  Air  Force  will  need  to  proactively 
address  the  partitioning  of  cyber  responsibilities  and  authorities  across 
DoD  and,  eventually,  perhaps,  across  the  interagency  organizations 
that  will  be  responsible  for  defending  the  nation  in  cyberspace.  Cred¬ 
ibility  built  on  established  cyber  capabilities  within  the  Air  Force’s  pur¬ 
view  is  a  prerequisite  for  fulfilling  this  vision. 

Finally,  we  focused  on  computer  network  system-assurance 
aspects  of  cyberspace.  We  recognize,  however,  that  cyberspace  is  really 
an  information  domain,  and  that  information  has  strong  cognitive 
implications.  Information  assurance  is  the  defensive  goal,  while  the 
ability  to  exploit,  disrupt,  and/or  deceive  adversary  information  sys¬ 
tems  and  cognition  is  the  offensive  goal.  Broadening  the  cyberspace 
discussion  to  include  these  cognitive  dimensions  and  applications  adds 
layers  of  complexity,  opportunity,  and  risk  that  were  beyond  the  scope 
of  this  monograph.  Nevertheless,  we  encourage  the  Air  Force  not  to 
lose  sight  of  the  fact  that  it  is  these  less-tangible  cognitive  elements  that 
are  critical  and  that  the  network  hardware  and  software  are  simply 
the  tangible  enablers.  Cyberstrategy  and  tactics,  techniques,  and  pro- 


18  In  a  memorandum  dated  June  23,  2009,  the  Secretary  of  Defense  established  U.S.  Cyber 
Command  under  USSTRATCOM,  replacing  both  JTF-GNO  and  JFCC-NW. 
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cedures  are  only  beginning  to  touch  on  the  IO  opportunities  and  risks 
that  these  technologies  enable,  especially  in  the  context  of  irregular 
warfare  against  nonpeer  asymmetric  adversaries  that  can  become  near 
peers  at  exploiting  information  networks,  such  as  the  Internet. 
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